A quick look at the Sunrise Calendar app

Reading Time: 5 minutes

Now that Microsoft has purchased the Sunrise Calendar app, it's probably a good idea to take a closer look to that app and see what we are or will be dealing with before everyone panics (again). The Acompli Outlook app for iOS and Android (from now on referenced as just the Outlook app) has received praise regarding it's functionality and usability, but also a lot of criticism on security and compliancy. A major issue is the temporary caching of data and passwords by the Outlook app infrastructure and some basic ActiveSync security functionality is lacking. Microsoft is working hard to address (some) of these issues.

It can't hurt to investigate Sunrise Calendar to see what we can expect with this app from an admin's perspective with the knowledge we have about the Outlook app and the things that people are worried about. I wasn't familiar with the Sunrise app before Microsoft's purchase, so I might miss some features or quirks. I'll focus my attention on Exchange calendars.

Testing the app

The app is available for iOS, MacOS, Android and has a website. Initial configuration is quite simple, you can log in with a Facebook, Google account or your email address. The latter has to be used with a password. All of them can be used on all variations of the application (or service).

Within the app you can add different calendar sources, such as Google, Facebook and much much more via add ins. But as promised I will focus on Exchange Calendars and they are supported as well, however a little bit different.

After I added my Facebook and Google calender, I could see them almost immediately on the Sunrise website. I wasn't required to logon again or wasn't pinged for a second authorization code (I always use multi-factor authentication on internet services if possible). Basically every service added on either the web or the app is instantly added to the Sunrise account. This is because Sunrise uses Oauth.

However, my Exchange calenders added in the app weren't available on the web. This is because Exchange calendars are handled differently, the Sunrise app will copy the content from the local calendar to it's own app silo and manage it in-app. Within iOS it uses the Event kit framework, I couldn't find how it operates on Android but I assume it's the same principle. This would mean that there is no caching of data on their own servers, such as the Outlook app does  in order to provide a "Focused Inbox". It also explains that you can only select Exchange calendars already configured on the device and that you do not have to provide any credentials. 

Just to be sure I've checked my Exchange Online account for any new device partnerships. I couldn't find anything that indicated Sunrise created something new:

NoNewPartnerShips

I've also made some iPad and Android screenshots (click on image to get larger version):

Back-end information

IMG_0149Unfortunately I couldn't find a lot of information on how Sunrise actually works. In the Privacy Policy I could see statements that Sunrise is allowed to access you information, could be processed in multiple countries and that you consenting with this. However, this (probably) does not apply to Exchange data at the moment but it's certainly something to keep in mind whenever Exchange connectivity will change. It could also be an umbrella statement that applies to all other services (not just company related data), such as Facebook. I haven't studied the Terms of use very closely, but couldn't find anything shocking at first glance. Under 1.5 Mobile Devices and Services I could find this:

When you use the Application, our Application collects your location information from your GPS, pulls information from your local calendar and address book on your mobile device and also pushes information you enter into the App back to your calendar and/or address book, as detailed in our privacy policy. You hereby authorize us and our App to take such actions and access your calendar, address book and GPS.

To me this suggest that calendar information is stored locally on devices and in the services it originated from, however the Privacy Policy is describing a much broader approach on how your data is handled.

I could find two blog posts that show some technical background information: About iCloud explains why iCloud credentials are required instead of the local calendar API. As of version 2.11 they don't store credentials on their servers, but the app generates a token that is used and stored. Furthermore, they state that they use OAuth whenever possible. That is good news.

In the older Security Update a security breach of their database provider shows a bit background information of what is stored and what the impact of a breach can have. It's probably out-dated as the functionality has changed over time, but still good info. On a side note, they will probably move from MongoHQ (now Compose) to Microsoft Azure SQL.

The future?

Hopefully they will implement extra functionality like Shared Calendars, however that would require a major change within ActiveSync (EAS) or the app has to make (direct) connection to Exchange servers much like the current OWA app for devices (also known as MOWA) does. Personally I think the app will come to support direct connections, as the current strategy still relies on the native ActiveSync implementation on iOS and Android devices and those are not without issues. I always held the assumption that MOWA was an attempt to address those EAS issues and provide more functionality.

In any case, there seem to be plans without ETA to add Exchange Calender support in the web. That suggest a direct connection to Exchange (or just Exchange Online?). Seeing how Sunrise is now handling other calendars I would not be surprised that it will cache calendar items on their own servers just like the Outlook app does. Perhaps that Microsoft will use Oauth for Office 365 and leave ActiveSync (with caching) for on-premises deployments. But I also wouldn't be surprised that the Sunrise Calendar will use some Outlook app back end (on Azure).

It's safe to say it'll be renamed, just like the Outlook app. My guess is that it will be renamed to be on-par with Universal Office for Windows 10, which has Outlook Mail and Outlook Calendar with the first being the original and more email focused Acompli app and the second the Sunrise Calendar. Perhaps we will see some features cross-over between now-Windows versions and the Universal Office apps.

Summary

Sunrise Calendar currently doesn't use a direct connection to Exchange, but copies the data from local device calendars into it's own data silo. As far as I could detect, there is no caching of Exchange data on any third party servers as it is with the Outlook app. That might change however.

Due to the local caching of Exchange calendars and the reliance of the local calendar, all caveats regarding ActiveSync still exists although not directly in the Sunrise app. The data still has to be synced to the device first, before Sunrise can access it. This includes no access to Shared Calendars and a remote wipe will have to reset the device to factory settings in order to wipe the date within the Sunrise app (i.e. no granular wiping).

You currently cannot block the Sunrise app directly via Exchange ABQ, if this is required you have to fall back to Mobile Device Management.

Sunrise doesn't store credentials and prefers the use of Oauth whenever they can. This would suggest that a direct connection to Exchange Online in the future is probable. For on-premises Exchange it might fall back to ActiveSync in a way the Outlook app does (with caching on their own servers). The moment that on-premises Exchange can be accessed is an important moment to check how Sunrise works at that time.

 

Now, this was an initial quick look into this app with a focus towards Exchange data. For now nothing shocking has popped up. Have you found anything worth mentioning? Message me or leave a comment.

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.